Thursday, July 31, 2014

Why you can't mitigate volumetric floods in a true DDoS (with local gear)

In this blog, I will discuss some of the reasons why cloud-based mitigation is always superior to local mitigation.

In a large-scale DoS event where the attack has many sources hitting your servers, you are at a big disadvantage. Take this first drawing:

Your web server comes under a severe, intense attack. In the two types of attack shown above (L4 and L7), we are at the mercy of the number of sources, the duration of the attacks, and the capabilities of our local mitigation gear, which is typically limited to an exterior IPS and/or UTM firewall. Neither of those is a true DoS mitigation device, by the way.

Note: even if you could afford to buy mitigation gear (FortiDDoS, Radware, F5, Arbor, etc.), you will probably be understaffed and lack experience with mitigation concepts. DDoS mitigation requires full-time monitoring and analysis.

Okay, sounds good so far, right?

We have mitigation gear, but what happens in reality? While you stumble around trying to fight back the attacking sources, spoofed or not, your WAN uplink(s) are already saturated.

What this means at the end of the day: you might block the attacks (score one for you), but the attack fills your WAN uplink capacity with junk traffic (score one for the attackers), because that junk has already crossed the uplink before your IPS ever sees it. So even if they didn't take down the web farm, the mere flooding of your WAN uplinks prevents legit clients from reaching your website in a reasonable, responsive time.

In almost all of these attacks that I've seen over the course of 7 years, they always resulted in higher latency/response times, with link saturation and spikes. While your IPS sensors are trying to mitigate, your clients are not getting through or are seeing slower page load times.

Now with cloud-based DoS protection, we have the ability to redirect traffic into the provider's cloud first, where they apply some type of mitigation gear and strategy. This allows the provider to take the punches, kicks, and blows, and they pass only legit, clean traffic to your web server.

See drawing #2 of a cloud-based mitigation.

The same attacks are under way, but now, with a cloud provider and redirection into the provider's space, we can let them mitigate the attacks.
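To put numbers on the two drawings, here is a small capacity model I've added for this post (it is not the author's code and not any vendor's tool). It models the WAN uplink as a fair-share bottleneck and compares the local topology, where the IPS/UTM only sees traffic that has already crossed the uplink, with the cloud topology, where the provider scrubs first. The uplink size, the offered legit and attack volumes, the proportional sharing on a saturated link, and the scrubber's leak rate (`scrub_accuracy`) are all constructed assumptions for illustration.

```python
# Added capacity model (not from the original post): where the mitigation
# device sits relative to the WAN uplink decides whether legit clients survive.
# All numbers below are constructed examples; the fair-share bottleneck and
# the scrub_accuracy knob are modelling assumptions, not measured behaviour.
from dataclasses import dataclass


@dataclass(frozen=True)
class Offered:
    """Traffic offered toward the site, in Mbps (constructed sample values)."""
    legit_mbps: float
    attack_mbps: float


def fair_share(capacity_mbps: float, demand: dict) -> dict:
    """Model a saturated link as a proportional bottleneck: if the total demand
    fits, every class gets what it asked for; otherwise each class receives a
    slice proportional to its demand. (Assumption: no prioritisation on the link.)"""
    total = sum(demand.values())
    if total <= capacity_mbps:
        return dict(demand)
    return {k: v * capacity_mbps / total for k, v in demand.items()}


def local_mitigation(uplink_mbps: float, offered: Offered, ips_accuracy: float = 1.0) -> dict:
    """Local IPS/UTM topology: attack and legit traffic compete for the uplink
    FIRST, then the on-prem device filters whatever made it across. Even a
    perfect filter (ips_accuracy=1.0) cannot recover bandwidth already burned
    on the uplink, so legit goodput is capped by the uplink share."""
    arriving = fair_share(uplink_mbps, {"legit": offered.legit_mbps,
                                        "attack": offered.attack_mbps})
    return {
        "legit_goodput_mbps": arriving["legit"],
        "attack_reaching_server_mbps": arriving["attack"] * (1.0 - ips_accuracy),
        "uplink_utilisation": min(1.0, (offered.legit_mbps + offered.attack_mbps) / uplink_mbps),
    }


def cloud_mitigation(uplink_mbps: float, offered: Offered, scrub_accuracy: float = 0.99) -> dict:
    """Cloud scrubbing topology: traffic is redirected to the provider first,
    so only legit traffic plus whatever leaks past the scrubber (assumed to be
    1 - scrub_accuracy of the attack) ever touches the customer's uplink."""
    leaked = offered.attack_mbps * (1.0 - scrub_accuracy)
    arriving = fair_share(uplink_mbps, {"legit": offered.legit_mbps, "attack": leaked})
    return {
        "legit_goodput_mbps": arriving["legit"],
        "attack_reaching_server_mbps": arriving["attack"],
        "uplink_utilisation": min(1.0, (offered.legit_mbps + leaked) / uplink_mbps),
    }


def attack_headroom_mbps(uplink_mbps: float, legit_mbps: float) -> float:
    """Attack volume at which local-only mitigation starts to degrade legit
    clients: once legit + attack exceeds the uplink, the fair-share slice shrinks."""
    return max(0.0, uplink_mbps - legit_mbps)


if __name__ == "__main__":
    uplink = 100.0                                         # constructed: 100 Mbps WAN uplink
    flood = Offered(legit_mbps=40.0, attack_mbps=900.0)    # constructed flood
    print("headroom before degradation:", attack_headroom_mbps(uplink, flood.legit_mbps), "Mbps")
    for name, fn in (("local IPS/UTM", local_mitigation), ("cloud scrubbing", cloud_mitigation)):
        r = fn(uplink, flood)
        print(f"{name:16s} legit goodput {r['legit_goodput_mbps']:6.1f} Mbps "
              f"of {flood.legit_mbps} offered, uplink {r['uplink_utilisation']:.0%} busy")
```

With the constructed 100 Mbps uplink, 40 Mbps of legit demand and a 900 Mbps flood, the local topology leaves legit clients roughly 4 Mbps even with a perfect IPS, while the cloud topology hands them their full 40 Mbps. The useful defender's number is `attack_headroom_mbps`: it tells you how small a flood already saturates your uplink, which is usually far below what a modern botnet can send.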